<html>
<head><meta charset="utf-8"><title>panics · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html">panics</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="171336730"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171336730" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171336730">(Jul 20 2019 at 18:04)</a>:</h4>
<p>So I've been looking at advisories like <a href="https://rustsec.org/advisories/RUSTSEC-2019-0010.html" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2019-0010.html">https://rustsec.org/advisories/RUSTSEC-2019-0010.html</a> or <a href="https://rustsec.org/advisories/RUSTSEC-2018-0003.html" target="_blank" title="https://rustsec.org/advisories/RUSTSEC-2018-0003.html">https://rustsec.org/advisories/RUSTSEC-2018-0003.html</a> plus yet-unreported bugs such as <a href="https://github.com/Frommi/miniz_oxide/issues/14" target="_blank" title="https://github.com/Frommi/miniz_oxide/issues/14">https://github.com/Frommi/miniz_oxide/issues/14</a> and it stood out to me that these issues only occur on panic. <br>
So I've been wondering, is there a reason something that doesn't actually <em>catch</em> panics would still want to have them enabled? At this point it looks like <code>panic=abort</code> is actually more secure and should be the default in the vast majority of cases.</p>



<a name="171351012"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171351012" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171351012">(Jul 21 2019 at 01:59)</a>:</h4>
<p>I think most security people would agree panic=abort is safer. Performance optimization people will agree it is more efficient (especially if using xargo to eliminate <em>all</em> the unwinding logic in libstd). But people who ask me to integrate Rust into non-Rust applications have never wanted to abort on panic. Panics are just too likely in Rust. A language subset without slice operator[], and libraries built to that subset, would be needed to make those people comfortable with panic=abort.</p>



<a name="171355373"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171355373" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171355373">(Jul 21 2019 at 04:31)</a>:</h4>
<p>There is always the no_panic crate used to check that a function can't panic.</p>



<a name="171355374"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171355374" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171355374">(Jul 21 2019 at 04:31)</a>:</h4>
<p>But I think it doesn't work if panic=abort.</p>



<a name="171355413"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171355413" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171355413">(Jul 21 2019 at 04:32)</a>:</h4>
<p>It would be nice if there was better first class support for checking at compile time that a block can't panic.</p>



<a name="171355583"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171355583" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171355583">(Jul 21 2019 at 04:39)</a>:</h4>
<p>there was... something presented at one of the OxidizeConf impl days... I forget its name <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<a name="171356579"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171356579" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171356579">(Jul 21 2019 at 05:15)</a>:</h4>
<p>I don't think it was <code>no_panic</code>, it was some academic project and looked like it did a pretty rigorous analysis</p>



<a name="171356580"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171356580" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171356580">(Jul 21 2019 at 05:16)</a>:</h4>
<p>it was primarily targeting high assurance embedded use cases</p>



<a name="171356622"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171356622" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171356622">(Jul 21 2019 at 05:16)</a>:</h4>
<p>it continues to amaze me the kind of static analysis you can do on single-core embedded Rust programs which isn't possible on the language as a whole</p>



<a name="171356628"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171356628" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171356628">(Jul 21 2019 at 05:17)</a>:</h4>
<p>see also: <code>cortex-m-rtfm</code> asserting your program is deadlock-free</p>



<a name="171356752"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171356752" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171356752">(Jul 21 2019 at 05:20)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> the main reason you want <code>panic = 'unwind'</code> in release targets is so when a program crashes you get a reasonable error message. we go one step further than that and collect backtraces and other information on panic, log them to a crash reporter, then exit</p>



<a name="171356761"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171356761" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171356761">(Jul 21 2019 at 05:21)</a>:</h4>
<p>if you just abort, all of that is lost</p>



<a name="171363706"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171363706" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Hanna Kruppe <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171363706">(Jul 21 2019 at 08:55)</a>:</h4>
<p>I don't think that's true? panic=abort still prints panic message and backtrace (if enabled), and you can set up a hook that runs on panics even if they abort: <a href="https://doc.rust-lang.org/std/panic/fn.set_hook.html" target="_blank" title="https://doc.rust-lang.org/std/panic/fn.set_hook.html">https://doc.rust-lang.org/std/panic/fn.set_hook.html</a></p>



<a name="171364043"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171364043" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171364043">(Jul 21 2019 at 09:05)</a>:</h4>
<p>yeah, the key part about panic=abort is that you don't unwind. whether you abort immediately or first do some diagnostic printing does not matter.</p>



<a name="171365426"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171365426" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171365426">(Jul 21 2019 at 09:51)</a>:</h4>
<blockquote>
<p>But people who ask me to integrate Rust into non-Rust applications have never wanted to abort on panic.</p>
</blockquote>
<p>Actually, no, unwinding across the FFI boundary is undefined behaviour, and you also cannot rely on any shared data structures being in a consistent state after Rust panicked, so aborting immediately is actually the only reasonable thing Rust can do when plugged into other languages</p>



<a name="171374728"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171374728" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171374728">(Jul 21 2019 at 14:29)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> You can definitely do things after Rust panics, I don't see why that would be a problem. Even across FFI -- you just need to pass the panic through FFI as a pointer to the "panic object" via catch_unwind</p>



<a name="171374731"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171374731" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171374731">(Jul 21 2019 at 14:30)</a>:</h4>
<p>Now, that's not always possible, and you definitely need to be careful about data structures and such, but it is by no means unsound etc</p>



<a name="171375088"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375088" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375088">(Jul 21 2019 at 14:40)</a>:</h4>
<p>It's not automatically unsound as long as nobody does <code>unsafe</code>, but it's usually an unexpected condition with no reasonable response but to terminate the program. Internal data structures may be left in a state that makes no sense from the application logic perspective even if it's still technically memory safe.</p>



<a name="171375100"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375100" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375100">(Jul 21 2019 at 14:41)</a>:</h4>
<p>In applications like web servers, you're basically always going to want the panic to only kill one request's worth of execution <span aria-label="shrug" class="emoji emoji-1f937" role="img" title="shrug">:shrug:</span></p>



<a name="171375106"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375106" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375106">(Jul 21 2019 at 14:41)</a>:</h4>
<p>I have no clue how panics interact with async/await btw</p>



<a name="171375161"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375161" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375161">(Jul 21 2019 at 14:42)</a>:</h4>
<p>And also, killing one request's worth of execution requires extra effort to structure the code in a way that makes it so. It's great that there is such an opportunity, but that doesn't mean it should be the default</p>



<a name="171375169"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375169" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375169">(Jul 21 2019 at 14:43)</a>:</h4>
<p>Not really in any interesting way; most runtimes will kill only that one thread and restart it quickly and you'll get an <code>Err</code> in the <code>spawn()</code> call</p>



<a name="171375181"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375181" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375181">(Jul 21 2019 at 14:43)</a>:</h4>
<p>I don't think I agree that "not automatically unsound as long nobody does unsafe" -- even in unsafe, you should be unwind-safe</p>



<a name="171375222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375222">(Jul 21 2019 at 14:44)</a>:</h4>
<p>i.e., it must be sound to unwind even through unsafe code</p>



<a name="171375241"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375241" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375241">(Jul 21 2019 at 14:45)</a>:</h4>
<p>It's the programmer's responsibility to make it so, and we're seeing people mess that up repeatedly - see bugs linked at the beginning of this thread. So my point is that if you're not deliberately catching panics, you should be using <code>panic=abort</code> because that protects you from such unsoundness</p>



<a name="171375298"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375298" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375298">(Jul 21 2019 at 14:46)</a>:</h4>
<p>Hm, well, in some sense, yes. I agree that if you have no plan/need to catch panics as a binary crate, panic=abort makes a lot of sense. But, libraries should be written with the assumption of panic=unwind</p>



<a name="171375299"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375299" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375299">(Jul 21 2019 at 14:46)</a>:</h4>
<p>e.g. hyper uses <code>catch_unwind</code> I believe per-request to avoid bringing down the whole server</p>



<a name="171375529"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375529" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375529">(Jul 21 2019 at 14:54)</a>:</h4>
<p>Or rather, libraries should be written with the assumption of either being used as a possibility. I've seen a crate that used <code>catch_unwind</code> to mask panics on malformed inputs that were not handled correctly, and that would be very easy to crash with <code>panic=abort</code></p>



<a name="171375565"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375565" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375565">(Jul 21 2019 at 14:54)</a>:</h4>
<p>Oh, sure, yeah, I guess that's a better phrasing :)</p>



<a name="171375658"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375658" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375658">(Jul 21 2019 at 14:56)</a>:</h4>
<p>Okay, another TODO entry: write an article calling to use <code>panic=abort</code> in binary crates that don't catch panics themselves</p>



<a name="171375756"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375756" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375756">(Jul 21 2019 at 14:59)</a>:</h4>
<p>(we should make sure that panic=abort is "good enough" though -- backtraces, etc.) I think it might need some configuration today, but maybe that can be alleviated -- a crate or something that does it for you</p>



<a name="171375844"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375844" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375844">(Jul 21 2019 at 15:00)</a>:</h4>
<p>Can you even implement that as a crate? And "add extra dependency for more security" does not sound convincing to me</p>



<a name="171375851"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375851" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375851">(Jul 21 2019 at 15:01)</a>:</h4>
<p><a href="https://doc.rust-lang.org/std/panic/struct.AssertUnwindSafe.html" target="_blank" title="https://doc.rust-lang.org/std/panic/struct.AssertUnwindSafe.html">https://doc.rust-lang.org/std/panic/struct.AssertUnwindSafe.html</a> - why does this not require an unsafe block to use?</p>



<a name="171375865"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375865" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375865">(Jul 21 2019 at 15:01)</a>:</h4>
<p>Because <code>UnwindSafe</code> is a roadblock, it's not anything more than that</p>



<a name="171375871"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375871" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375871">(Jul 21 2019 at 15:01)</a>:</h4>
<p>code must be unwind safe, but e.g. Mutex use after unwinding is <em>probably</em> not actually what you wanted</p>



<a name="171375914"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375914" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375914">(Jul 21 2019 at 15:02)</a>:</h4>
<p>I think to an extent there's not a good understanding of whether/how to deal with <code>UnwindSafe</code> + <code>AssertUnwindSafe</code></p>



<a name="171375923"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375923" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375923">(Jul 21 2019 at 15:02)</a>:</h4>
<p>bummer</p>



<a name="171375942"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375942" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375942">(Jul 21 2019 at 15:03)</a>:</h4>
<p>I got the impression last time I looked at this that basically ~all uses of catch_unwind probably get wrapped in <code>AssertUnwindSafe</code> because it's just too painful to do otherwise</p>



<a name="171375986"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171375986" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171375986">(Jul 21 2019 at 15:04)</a>:</h4>
<p>because most of the time you're not actually <em>doing</em> anything after that unwind happens, e.g., you're killing the thread of execution or something along those lines</p>



<a name="171432495"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171432495" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171432495">(Jul 22 2019 at 13:57)</a>:</h4>
<p>somehow I've managed to do things in ways where I don't need <code>AssertUnwindSafe</code>. I think it might've been a combination of making all state either <code>Send + Sync + 'static</code> and/or owned by the thread on its stack?</p>



<a name="171434390"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171434390" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171434390">(Jul 22 2019 at 14:19)</a>:</h4>
<p>perhaps, yeah</p>



<a name="171434504"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171434504" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171434504">(Jul 22 2019 at 14:20)</a>:</h4>
<p>I don't quite recall but I think my use cases related to non-thread type stuff -- but I don't recall what exactly</p>



<a name="171436411"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171436411" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171436411">(Jul 22 2019 at 14:42)</a>:</h4>
<p>I remember rustc asking me to <code>AssertUnwindSafe</code> at one point, but after refactoring some I no longer needed it. I think it's all about keeping the other side of the unwind boundary (i.e. the "catcher") stateless</p>



<a name="171436455"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171436455" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171436455">(Jul 22 2019 at 14:43)</a>:</h4>
<p>I have toplevel panic handlers on all worker threads</p>



<a name="171436500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171436500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171436500">(Jul 22 2019 at 14:43)</a>:</h4>
<p>I also use <code>catch_unwind</code> as a failsafe in places where there's nontrivial things happening in a <code>Drop</code> handler</p>



<a name="171436555"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171436555" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171436555">(Jul 22 2019 at 14:44)</a>:</h4>
<p>mostly to get a good error message. I exit the program in the event they ever happen</p>



<a name="171436577"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171436577" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171436577">(Jul 22 2019 at 14:44)</a>:</h4>
<p>otherwise panicking in a <code>Drop</code> handler is not a good time</p>



<a name="171436639"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171436639" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171436639">(Jul 22 2019 at 14:45)</a>:</h4>
<p>iirc it used to print "You’ve met with a terrible fate, haven’t you?"</p>



<a name="171438762"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171438762" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171438762">(Jul 22 2019 at 15:10)</a>:</h4>
<p>sure, yeah -- however, sometimes you can't keep it stateless</p>



<a name="171438786"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171438786" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171438786">(Jul 22 2019 at 15:11)</a>:</h4>
<p>e.g. you're passing panics over FFI boundary and then re-panicking</p>



<a name="171439766"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171439766" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171439766">(Jul 22 2019 at 15:22)</a>:</h4>
<p>haha yeah, fortunately I'm not doing anything like that</p>



<a name="171439779"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171439779" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171439779">(Jul 22 2019 at 15:22)</a>:</h4>
<p>just toplevel exception handlers</p>



<a name="171458805"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171458805" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171458805">(Jul 22 2019 at 19:13)</a>:</h4>
<blockquote>
<p>Actually, no, unwinding across the FFI boundary is undefined behaviour, and you also cannot rely on any shared data structures being in a consistent state after Rust panicked, so aborting immediately is actually the only reasonable thing Rust can do when plugged into other languages</p>
</blockquote>
<p>We use <code>catch_unwind</code> at every FFI boundary and return an error indicator (usually our ol' friend <code>NULL</code>).</p>



<a name="171458845"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171458845" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171458845">(Jul 22 2019 at 19:13)</a>:</h4>
<p>and you only ever feed it transient state?</p>



<a name="171459022"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171459022" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171459022">(Jul 22 2019 at 19:16)</a>:</h4>
<p>Yes, in fact we serialize everything into a string for input and output.</p>



<a name="171459164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171459164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171459164">(Jul 22 2019 at 19:18)</a>:</h4>
<p>Regardless, I agree that many crates aren't panic safe and that's a bad thing. I'm just saying that panic=abort doesn't sound palatable (sometimes, not even feasible) to many people.</p>



<a name="171459393"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171459393" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171459393">(Jul 22 2019 at 19:22)</a>:</h4>
<p>Yeah, we do the same: catch_unwind at FFI boundary, turn into an error on the other end. This still ends up poisoning a mutex, which we keep mainly because of a lack of confidence that our dependencies are still memory safe in the case of a panic.</p>



<a name="171460963"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171460963" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171460963">(Jul 22 2019 at 19:40)</a>:</h4>
<p>I'm just saying "I know what I'm doing" should be opt-in and the safe option the default. But at this point it's too late to change the language (unless it's an edition change?) so we'll have to promote it for binaries I guess</p>



<a name="171461900"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171461900" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171461900">(Jul 22 2019 at 19:52)</a>:</h4>
<p>Again, I'd most like to see a way to opt into a panic-free subset of the language, like <code>[no_std]</code>. I would definitely use it myself.</p>



<a name="171462042"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171462042" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171462042">(Jul 22 2019 at 19:54)</a>:</h4>
<p>I guess in the panic free subset you'd just have slice.get()/get_mut() and not index operators?</p>



<a name="171462120"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171462120" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171462120">(Jul 22 2019 at 19:55)</a>:</h4>
<p>Right.</p>



<a name="171462393"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171462393" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171462393">(Jul 22 2019 at 19:58)</a>:</h4>
<p>If it could be used in small sections that would make sense. For an entire program it sounds rather difficult to work with, TBH.</p>



<a name="171462734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171462734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171462734">(Jul 22 2019 at 20:02)</a>:</h4>
<p>Anyway, re: suggesting the use for binaries, in practice panic != abort matters much more in cases where exiting isn't what was going to happen anyway. If you don't catch panics, unwrap() on thread joining, etc. then the amount of safety that this would gain seems rather small</p>



<a name="171463379"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171463379" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171463379">(Jul 22 2019 at 20:09)</a>:</h4>
<p>I think that would encourage people to write code that assumes panics abort. Then they'll run into trouble when they try to factor that code out from their binaries into libraries.</p>



<a name="171463562"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171463562" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171463562">(Jul 22 2019 at 20:11)</a>:</h4>
<p>I think offering more building blocks for secure, no-<code>unsafe</code> programming is a good path forward. In the start of this thread, panics were identified as a source of vulnerabilities, but ultimately those vulnerabilities were also due to the use of <code>unsafe</code>. Arguably the use of <code>unsafe</code> is the primary cause.</p>



<a name="171463870"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171463870" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171463870">(Jul 22 2019 at 20:15)</a>:</h4>
<p><a href="https://github.com/rust-secure-code/safety-dance" target="_blank" title="https://github.com/rust-secure-code/safety-dance">https://github.com/rust-secure-code/safety-dance</a> <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="171464801"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171464801" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171464801">(Jul 22 2019 at 20:26)</a>:</h4>
<blockquote>
<p>ultimately those vulnerabilities were also due to the use of unsafe. Arguably the use of unsafe is the primary cause.</p>
</blockquote>
<p>Yeah, this is more-or-less how I feel too. Removing the need for unsafe seems like the fix for this, more than trying to urge people to abort on panic.</p>



<a name="171478012"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171478012" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171478012">(Jul 22 2019 at 23:44)</a>:</h4>
<p>today for me: people talking about making Erlangy supervisors for Rust threads to restart them when they crash, and also people who think the best option for panicking is to abort <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="171478034"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171478034" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171478034">(Jul 22 2019 at 23:45)</a>:</h4>
<p>to which I say correspondingly: mutable state and <code>PoisonError</code>, and contrarily crash reporters, and also the aforementioned people who want to try to make programs that "let it crash"</p>



<a name="171642630"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171642630" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171642630">(Jul 24 2019 at 20:57)</a>:</h4>
<p>I was thinking about this today, and I remembered previous discussions with the libs team: there's a lot of momentum towards using panics to indicate "you are using this API wrongly", and these APIs are ones that often need to be used to avoid <code>unsafe</code>. There was a discussion about this for <code>copy_within</code>, for example, where there is no version that returns an error on out-of-bounds. In other words, the standard library is sometimes imposing a dichotomy of "avoid <code>unsafe</code>" vs "avoid panics." Later we sometimes end up adding non-panicking versions of the APIs, resulting in API bloat. Perhaps we need a new idiom for communicating API misuse that avoids panics but is more ergonomic than using <code>Result</code> currently is.</p>



<a name="171642734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/171642734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#171642734">(Jul 24 2019 at 20:58)</a>:</h4>
<p>In <em>ring</em> we take the opposite approach and try to avoid panics, returning <code>Result</code> an annoying amount. The CSPRNG API is an example where people hate this. (In contrast, BoringSSL uses <code>abort()</code> deep in its internals on CSPRNG failures.)</p>



<a name="172963176"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/172963176" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#172963176">(Aug 11 2019 at 10:23)</a>:</h4>
<p>Could you provide some examples of non-panicking APIs being added later, other than indexing (<code>[x]</code> vs <code>.get(x)</code>)?</p>



<a name="172967417"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/172967417" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#172967417">(Aug 11 2019 at 12:39)</a>:</h4>
<p>was <code>.get</code> added later? I thought it always existed?<br>
Conversely, there are all the <code>checked_*</code> arithmetic operations, but I am not sure if they were added "later".</p>



<a name="172971204"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/panics/near/172971204" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> simulacrum <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/panics.html#172971204">(Aug 11 2019 at 14:35)</a>:</h4>
<p>try_reserve and friends, kinda, though the previous APIs aborted I believe</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>